Data obligations and risks to directors’ liabilities
You may have noticed in tender documents, contracts and service delivery agreements there appears to be a recent ramping up of prescriptive governance questions and liability demands around data security.
It might have something to do with the risks associated with big data and the increased scrutiny that comes with it. There is clearly a shift in overall data governance at director level.
It might also have something to do with the ramping up of due diligence by the regulators (ASIC, APRA and ACCC) since the banking Royal Commission.
This results in ever increasing pressure on boards and executive management.
Whilst in the past directors were expected to engage from an oversight perspective, there is now far more expectation that directors have a real understanding and knowledge of the organisation’s governance risk and liability in relation to its data security obligations.
Data obligations are about data security in the context of:
intentional or unintentional misuse of data particularly personal data of individuals and corporate sensitive data
exposure to unauthorised access such as cyber attacks brought about by insufficient data security measures within the organisation
Intentional or unintentional misuse of data
There are laws in Australia about what data you can collect, for what purpose and how this data can be used.
Some of the most successful businesses collect and utilise big consumer data. Data collected for consumer-related purposes often contains personal and sensitive information and can be utilised or exploited illegally.
So the board/directors need to be asking the question ‘What did we collect this data for and what can we legally use it for?’
Analytical tools available to organisations allow for sophisticated analysis and decision making. However, directors need to ensure ethical considerations are embedded in the use of personal and sensitive information such that no harm is done to individuals or groups.
Exposure to unauthorised access
Cyber security has become a significant risk to organisations.
The ASIC Commissioner suggests directors should be actively thinking about whether cyber security should be assessed more regularly than other risks.
Statistics indicate that approximately 80% of companies expect an increase in cyber risk over the next year, yet generally only about half of company boards can articulate either the security level of their organisation or the systems in place to mitigate a cyber-attack.
In 2010 cyber security as a risk for businesses was not listed in the top 10 risks by Australian boards. In 2018 it was largely considered to be in the top 3 risks.
First and foremost, assign an individual within the organisation, reporting directly to the board or a board member, to inform on the status of data collection and use against the legal and regulatory requirements of the jurisdictions in which the business operates. This should be a standard agenda item at executive and board meetings and should reference the legal obligations and the controls in place.
Also assign financial and people resources to maintain and monitor cyber security risk within the organisation, again reporting directly to the board or an individual on the board.
Ensure the organisation has in place an action plan to address any breaches of legislation or imminent/known cyber-attack.
Initiate independent governance audits and tests (such as IT penetration testing) to maintain a risk assessment approach and keep informed on the status of director liability for big data.